Paul Thomas Rowe

Software Automation Engineer

  • June 11th, 2019
  • Technology
  • Home/
  • Blog/
  • CVE and CVSS Briefing

CVE and CVSS Briefing

Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures, commonly known as CVEs, are recorded information and security issues that aim to create an easily accessible list of security threats for professionals. It's sponsored by the United States Department of Homeland Security, with the intent of beign readily available for security administrators who need information about specific security threats.

Assembling all of this information into one, trustworthy, organized place does a tremendous service to security experts, making the task of solving most security issues much less burdensome. CVE defines a vulnerability as "a mistake in software code that provides an attack with direct access to a system or network." Vulnerabilities create the possibility for an attacker to illegitimately gain access to a given system. Successful implementation of these vulnerabilities could result in damaged equipment, unwanted access privileges, or tampered data. The potential implications of this, depending on the targeted system, include damaged customer trust, financial loss, even loss of life.

Common Vulnerability Scoring System

The Common Vulnerability Scoring System is commonly known as CVSS. It's a free service that evaluates the severity of a given vulnerability, by assigning different categorical severity scores to vulnerabilities. The Base, Temporal and Environmental score categories range in ranking from 0 to 10. The combination of these scores create the CVSS score. Base Score considers factors like user interaction and attack complexity. Temporal score considers remediation level and exploitability. Environment score considers exploit availability and environment controls. When calculating these scores, the base score affects the temporal score, and both influence the calculation of the environmental score.

An example of the usefulness of CVEs and CVSSs when evaluating the security of a program are Symantec and Norton Antivirus. Their software is installed on high-level business and governmental machines, meaning updates must be approved and processed before being pushed to these devices. The ramifications of this implies that the described vulnerable software is still in widespread use on machines today.

    Symantec Antivirus in 2016 alone had the following vulnerabilities:
  • CVE-2016-2207 (CVSS v3 Base Score: 8.4) - Symantec Antivirus multiple remote memory corruption unpacking RAR
  • CVE-2016-2208 (CVSS v3 Base Score: 9.1) - Symantec antivirus products use common unpackers to extract malware binaries when scanning a system. A heap overflow vulnerability in the ASPack unpacker could allow an unauthenticated remote attacker to gain root privileges on Linux or OSX platforms. The vulnerability can be triggered remotely using a malicious file (via email or link) with no user interaction.
  • CVE-2016-2209 (CVSS v3 Base Score: 7.3) - Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow
  • CVE-2016-2210 (CVSS v3 Base Score: 7.3) - Symantec: Remote Stack Buffer Overflow in dec2lha library
  • CVE-2016-2211 (CVSS v3 Base Score: 7.8) - Symantec: Antivirus remote memory corruption unpacking MSPACK Archives
  • CVE-2016-3644 (CVSS v3 Base Score: 8.4) - Symantec: Heap overflow modifying MIME messages
  • CVE-2016-3545 (CVSS v3 Base Score: 5.3) - Symantec: Integer Overflow in TNEF decoder
  • CVE-2016-3646 (CVSS v4 Base Score: 8.4) - Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink

In summary, these are very powerful tools, both for attackers and defenders. Anyone with knowledge of a systems's running software can take full advantage of CVE's repository of knowledge to target and carry out desired attacks or mitigations depending on the severity of the CVSS score.

Works Cited

Want to learn more?

Let’s Chat


695 Town Center Drive, Suite 1200
Costa Mesa, CA 92626
United States